vovuas2003/linux-auth
1
0
Fork 0
forked from nihonium/linux-auth
Code Pull requests Activity

fix and run govulncheck

Browse source
This commit is contained in:
vovuas2003 2026-05-14 15:07:51 +03:00
parent 5220fca398
commit 5fa0ca0444
6 changed files with 334 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -236,6 +236,8 @@ bash scripts run_sast_sarif.sh
## Анализ зависимостей на известные уязвимости ## Анализ зависимостей на известные уязвимости
Используется версия govulncheck 1.1.4, т.к. следующие (1.2.0, 1.3.0) требуют Go версии 1.25.
1. cd govulncheck 1. cd govulncheck
2. ./install.sh 2. ./install.sh

11
analysis_report.md
View file

@ -14,7 +14,7 @@ Go версии 1.24, Debian 13.
* Gosec - ориентирован на поиск проблем с безопасностью, нашёл (как и bearer) проблему с путём загрузки конфига и (в отличие от bearer) предложил способ исправления. * Gosec - ориентирован на поиск проблем с безопасностью, нашёл (как и bearer) проблему с путём загрузки конфига и (в отличие от bearer) предложил способ исправления.
* Golangci-lint - больше линтер, нежели статический анализатор, указал только на возможную замену if с условием "ИЛИ" на switch (я считаю, что это false positive). * Golangci-lint - больше линтер, нежели статический анализатор, указал только на возможную замену if с условием, содержащем "ИЛИ", на switch (я считаю, что это false positive).
* Svace (svacer) - проприетарный инструмент, который был развёрнут во внутренней сети компании и был также использован, но не был включён в итоги; * Svace (svacer) - проприетарный инструмент, который был развёрнут во внутренней сети компании и был также использован, но не был включён в итоги;
было одно срабатывание на код самого приложения и достаточно много - на использованные модули; по моему мнению, все срабатывания - false positive. было одно срабатывание на код самого приложения и достаточно много - на использованные модули; по моему мнению, все срабатывания - false positive.
@ -45,3 +45,12 @@ Go хорош тем, что не даёт скомпилировать прог
* golang.org/x/term - библиотека для функций работы с терминалом, используется для скрытия пароля при его вводе * golang.org/x/term - библиотека для функций работы с терминалом, используется для скрытия пароля при его вводе
* golang.org/x/sys - зависимость golang.org/x/term для низкоуровневой работы с ОС * golang.org/x/sys - зависимость golang.org/x/term для низкоуровневой работы с ОС
Анализ зависимостей на известные уязвимости с помощью утилиты govulncheck дал такой результат (это именно вызовы уязвимых функций, подробнее см. в директории govulncheck):
Vulnerability #1: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url (More info: https://pkg.go.dev/vuln/GO-2026-4341)
Vulnerability #2: GO-2025-3849 Incorrect results returned from Rows.Scan in database/sql (More info: https://pkg.go.dev/vuln/GO-2025-3849)
Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 4 vulnerabilities in packages you import and 29 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.

2
govulncheck/install.sh Normal file → Executable file
View file

@ -1,3 +1,3 @@
#!/bin/bash #!/bin/bash
go install golang.org/x/vuln/cmd/govulncheck@latest go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

25
govulncheck/results.txt Normal file
View file

@ -0,0 +1,25 @@
=== Symbol Results ===
Vulnerability #1: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.24.4
Fixed in: net/url@go1.24.12
Example traces found:
#1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery
Vulnerability #2: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
More info: https://pkg.go.dev/vuln/GO-2025-3849
Standard library
Found in: database/sql@go1.24.4
Fixed in: database/sql@go1.24.6
Example traces found:
#1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan
Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 4 vulnerabilities in packages you import and 29
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

7
govulncheck/run.sh Normal file → Executable file
View file

@ -1,3 +1,8 @@
#!/bin/bash #!/bin/bash
govulncheck ../... export PATH=$PATH:$HOME/go/bin
govulncheck ../... | tee results.txt
printf "\nАнализ известных уязвимостей в использованных библиотечных функциях завершён, результаты на экране продублированы в results.txt\nЗапуск подробного анализа (-show verbose)\n"
govulncheck -show verbose ../... > verbose_results.txt
printf "\nПодробный анализ завершён, его результаты сохранены в verbose_resulsts.txt\n"

290
govulncheck/verbose_results.txt Normal file
View file

@ -0,0 +1,290 @@
Fetching vulnerabilities from the database...
Checking the code against the vulnerabilities...
The package pattern matched the following 10 root packages:
linux-auth/internal/db
linux-auth/internal/utils
linux-auth/cmd/add_user
linux-auth/internal/auth
linux-auth/internal/config
linux-auth/internal/ui
linux-auth/cmd/authapp
linux-auth/cmd/init_users
linux-auth/golang-fuzz
linux-auth/myfuzz
Govulncheck scanned the following 5 modules and the go1.24.4 standard library:
linux-auth
github.com/mattn/go-sqlite3@v1.14.33
github.com/pelletier/go-toml/v2@v2.2.4
golang.org/x/sys@v0.39.0
golang.org/x/term@v0.38.0
=== Symbol Results ===
Vulnerability #1: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.24.4
Fixed in: net/url@go1.24.12
Example traces found:
#1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery
Vulnerability #2: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
More info: https://pkg.go.dev/vuln/GO-2025-3849
Standard library
Found in: database/sql@go1.24.4
Fixed in: database/sql@go1.24.6
Example traces found:
#1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan
=== Package Results ===
Vulnerability #1: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in
internal/syscall/unix
More info: https://pkg.go.dev/vuln/GO-2026-4864
Standard library
Found in: internal/syscall/unix@go1.24.4
Fixed in: internal/syscall/unix@go1.25.9
Platforms: linux
Vulnerability #2: GO-2026-4602
FileInfo can escape from a Root in os
More info: https://pkg.go.dev/vuln/GO-2026-4602
Standard library
Found in: os@go1.24.4
Fixed in: os@go1.25.8
Vulnerability #3: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4601
Standard library
Found in: net/url@go1.24.4
Fixed in: net/url@go1.25.8
Vulnerability #4: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
More info: https://pkg.go.dev/vuln/GO-2025-4010
Standard library
Found in: net/url@go1.24.4
Fixed in: net/url@go1.24.8
=== Module Results ===
Vulnerability #1: GO-2026-4986
Quadratic string concatentation in consumeComment in net/mail
More info: https://pkg.go.dev/vuln/GO-2026-4986
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #2: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4982
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #3: GO-2026-4981
Crash when handling long CNAME response in net
More info: https://pkg.go.dev/vuln/GO-2026-4981
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #4: GO-2026-4980
Escaper bypass leads to XSS in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4980
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #5: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
More info: https://pkg.go.dev/vuln/GO-2026-4977
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #6: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in
net/http/httputil
More info: https://pkg.go.dev/vuln/GO-2026-4976
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #7: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
More info: https://pkg.go.dev/vuln/GO-2026-4971
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #8: GO-2026-4947
Unexpected work during chain building in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4947
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.9
Vulnerability #9: GO-2026-4946
Inefficient policy validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4946
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.9
Vulnerability #10: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
net/http/internal/http2 in golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2026-4918
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.10
Vulnerability #11: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection
retention and DoS in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4870
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.9
Vulnerability #12: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
More info: https://pkg.go.dev/vuln/GO-2026-4869
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.9
Vulnerability #13: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4865
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.9
Vulnerability #14: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4603
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.25.8
Vulnerability #15: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.12
Vulnerability #16: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.12
Vulnerability #17: GO-2026-4337
Unexpected session resumption in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4337
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.13
Vulnerability #18: GO-2025-4175
Improper application of excluded DNS name constraints when verifying
wildcard names in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4175
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.11
Vulnerability #19: GO-2025-4155
Excessive resource consumption when printing error string for host
certificate validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4155
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.11
Vulnerability #20: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
More info: https://pkg.go.dev/vuln/GO-2025-4015
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #21: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
More info: https://pkg.go.dev/vuln/GO-2025-4014
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #22: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4013
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #23: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
More info: https://pkg.go.dev/vuln/GO-2025-4012
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #24: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
More info: https://pkg.go.dev/vuln/GO-2025-4011
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #25: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
More info: https://pkg.go.dev/vuln/GO-2025-4009
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #26: GO-2025-4008
ALPN negotiation error contains attacker controlled information in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2025-4008
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #27: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4007
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.9
Vulnerability #28: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
More info: https://pkg.go.dev/vuln/GO-2025-4006
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.8
Vulnerability #29: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
More info: https://pkg.go.dev/vuln/GO-2025-3956
Standard library
Found in: stdlib@go1.24.4
Fixed in: stdlib@go1.24.6
Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 4 vulnerabilities in packages you import and 29
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.